Sunday, November 14, 2010

Windows Event Logs and F-Response

I have been looking to better define my ability to identify, preview and analyze Windows event logs.  When identifying key information/evidence to acquire from a target system, I found that the area of Windows Event logs was not as well defined as I would like (in terms of a defined methodology).  I set out to find a solution for analyzing Windows Event logs on remote systems, as well as over a write-protected connection (such as F-Response).  I am aware that Windows has its built-in Event Viewer; however, my experiences with this application have been less than satisfying for the purpose of forensic documentation.

Here's what I found...

Tools I used:
1.  F-Response (Tactical Edition).
2.  Windows 7 Ultimate (Examiner's machine).
3.  Windows 7 Starter Edition (Target machine).
4.  Cross-over cable.
5.  Event Log Explorer v3.3  (by FSPro Labs).

a.  I connected my Examiner laptop and the Target laptop via a cross-over cable, and allowed each laptop to assign itself an IP address (there is no DHCP server on a direct cable link).
b.  Started F-Response on each machine with the write-protected Subject and Examiner's dongles.  Connection established:

c.  Started Event Log Explorer on the Examiner's machine.  When the program starts, it automatically enumerates the Examiner's (local) machine.

d.  To avoid any confusion/contamination, I removed my local machine from the Computer Tree.  This leaves the column blank, ready to enumerate remote machines or other locally identified event log files.

e.    I saved the workspace with an identifiable name.

f.  In Event Log Explorer, I selected File > Open Log File > Direct and pointed to the TARGET system that I had mounted using F-Response.  "Direct" opens the .evtx file as a file rather than through the Event Log service, which is what you want when the disk is write-blocked.

**  The Windows Event Logs were found at \Windows\System32\winevt\Logs (Vista and later; on XP/2003 the older .evt logs live under \Windows\System32\config) **

g.  I then loaded one of several Event Log files - in this case, System.evtx.  As with any log, I was presented with thousands of entries - 25,385 to be precise.

h.  And this is where Event Log Explorer took off, in terms of features.  I am familiar with a more robust log analysis tool such as Splunk, so I am aware of the importance of learning the filters.  Filtering is straightforward, and I'd recommend it.

And this leads to filtered results:

i.  I also used color coding to better identify my filtered Event Logs, based on any of the criteria present in the event record.  The coding is completely configurable.

j.  Reporting - you can export your Event Log in one of many formats, including HTML, tab-separated and Excel.

While Event Log Explorer excels at offering flexible filtering and reporting, I personally found the most useful feature to be the ability to merge logs.  When logs are merged and then properly filtered, I found that I could create a very good timeline of a system's event logging.  In combination with tools such as RegRipper, these tools are invaluable when attempting to conduct your "Sniper Forensics" (in Chris Pogue's terms).
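The same steps f through j, plus the merge into a single timeline, can be scripted in PowerShell.  The block below is an added example; it is not code from the original post and has nothing to do with Event Log Explorer or F-Response's own software.  It assumes the target disk is exposed by F-Response on the examiner's machine as write-blocked drive T:, that output goes under C:\Cases\case001, that a 30-day triage window is wanted, and that the examiner's machine is Windows 7 or later (Get-WinEvent needs .NET 3.5+).  The mount letter, case folder, window and event ID list are all my assumptions, not values from the post.

```powershell
# Added example, not from the original post or from Event Log Explorer.
# ASSUMPTIONS: the target disk is exposed by F-Response on the examiner's
# machine as drive T: (write-blocked), output goes under C:\Cases\case001,
# and the examiner runs Windows 7 or later (Get-WinEvent needs .NET 3.5+).

$LogRoot = 'T:\Windows\System32\winevt\Logs'     # assumed mount letter
$OutDir  = 'C:\Cases\case001'                    # assumed case folder
$Logs    = 'System.evtx', 'Security.evtx', 'Application.evtx'
$Start   = (Get-Date).AddDays(-30)               # assumed triage window

# Event IDs to pull on a first pass (documented Windows event IDs):
#   System   6005/6006  event log service started/stopped (boot/shutdown markers)
#   System   7045       a new service was installed
#   Security 4624/4625  logon succeeded/failed; 4720 user account created
# An empty list means "take everything in the window".
$Ids = @{
    'System.evtx'      = 6005, 6006, 7045
    'Security.evtx'    = 4624, 4625, 4720
    'Application.evtx' = @()
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Hash each log file before it is read, for the examiner's notes.
# (Get-FileHash is avoided so this also runs on PowerShell 2.0.)
function Get-Sha256 ([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

$Merged = foreach ($log in $Logs) {
    $path = Join-Path $LogRoot $log
    if (-not (Test-Path $path)) { Write-Warning "missing: $path"; continue }
    "$(Get-Sha256 $path)  $path" | Add-Content (Join-Path $OutDir 'evtx-hashes.txt')

    # -FilterHashtable with Path reads the .evtx file directly, not the live
    # log of the examiner's machine; the filter is applied before the records
    # are rendered, so it is far faster than piping everything to Where-Object.
    $filter = @{ Path = $path; StartTime = $Start }
    if ($Ids[$log].Count -gt 0) { $filter['Id'] = $Ids[$log] }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Log';     e = { $log } },
                      @{ n = 'TimeUtc'; e = { $_.TimeCreated.ToUniversalTime() } },
                      Id, LevelDisplayName, ProviderName,
                      @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Merge the logs into one timeline, oldest first, and export it for the report.
$Timeline = $Merged | Sort-Object TimeUtc
$Timeline | Export-Csv -Path (Join-Path $OutDir 'evtx-timeline.csv') -NoTypeInformation
$Timeline | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind.  Get-WinEvent returns TimeCreated in the examiner machine's local time zone, not the target's, which is why the timeline column is converted to UTC before sorting; record the target's time zone separately (the registry, via RegRipper, is the usual source).  Second, the Message text is rendered using the message resources installed on the examiner's machine, so events from third-party providers that are not installed locally may come back with an empty description even though the raw record (ID, provider, event data) is intact.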

Conclusion:  
I believe that the noted programs offer a useful solution for previewing and collecting evidence from Windows Event Logs in a live-analysis situation.  My preference will always be to conduct a full analysis at the lab; in circumstances where one needs to conduct an at-scene triage, this combination of tools may assist.

ps.. I was wondering how this tool (Event Log Explorer) would work within WinFE.  I had just burned off my most recent version, so this may have to wait.  I can tell you that I tested the installation directory of Event Log Explorer by copying it to a USB drive and trying the tool on a different computer.  It worked very well; however, it prompted for my registration key (I entered the 30-day demo and continued on).

Some references on Windows Event Logs
Event Logs (TechNet)
Event Viewer  (TechNet)